---
title: Using Ping CLI in Development Environments
description: Authentication delegation patterns and OAuth client setup for Ping CLI in agent harnesses.
component: build-with-ai
page_id: build-with-ai:pingcli:agentic-development
canonical_url: https://developer.pingidentity.com/build-with-ai/pingcli/agentic-development.html
llms_txt: https://developer.pingidentity.com/build-with-ai/llms.txt
docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md
revdate: June 18, 2026
keywords: ["Ping CLI", "agent harness", "development", "sandbox", "OAuth", "authentication", "audit", "client credentials"]
section_ids:
  authentication-delegation: Authentication delegation
  human-administrator-present: Human administrator present
  fully-automated-harness-no-human-actor: Fully automated harness (no human actor)
  full-documentation: Full documentation
---

# Using Ping CLI in Development Environments

[icon: circle-check, set=far]PingOne [icon: circle-check, set=far]DaVinci [icon: circle-check, set=far]Authorize [icon: circle-check, set=far]Credentials [icon: circle-check, set=far]MFA [icon: circle-check, set=far]Protect [icon: circle-check, set=far]Verify [icon: circle-check, set=far]PingFederate

This page covers Ping CLI-specific information for agentic development: how authentication is delegated from the agent to the CLI, and how to configure OAuth clients for development and headless harnesses.

For the broader concepts, when direct agent access is appropriate, which tools to choose, and how development differs from production, refer to [Agentic development environments](../agentic-development-environments.html).

## Authentication delegation

Ping CLI manages authentication to Ping Identity platform APIs. The agent invokes CLI commands; the CLI handles token acquisition, refresh, and the underlying API calls. The agent itself never holds credentials.

![pingcli-dev-auth-flow](https://kroki.io/plantuml/svg/eNqdU01v2zAMvetXEN2lPaQ7tYcAGeCl61qg6AJsx15YibaFyKIry9m6Xz9KcrKkHyhaBoghvcdH8tEe1tb3GLADQzWOLv6iP7FytvEd-Qha_iioYceqQuDfS3Yc4NNZjj1whSFabXv08SvqdRN49GYiX-Z4hczBUJiIVY494i1Heklu-e38KWtf50LiQOcnPYzkNX0Xnf654Fn6vUrfV17mUKr_PwEcVU3y6wqDp2E4AhwA080haWV9A8ub64xrZw_RH9UYW6kbNhQyg1EuXlBYOYw1B9nGqkhh_0SqGo2NcMNNgdNJqcUCrsYO_Yx7ChjJQFvahcVCqdwuzL6kvmAO1m94TaC5kwyj0qVguSNB80OzIWiCFLzz4ouhjdWUIQ72L0bLvsCqpO20UetUNUoBf-ePMcZg78fUUGRA01l_si0ok0mCzAkanVPpmG7zeHMIpGUx85ID1sgENj4q5eVlABYbp9EBiiFbfptsKFl2iOIFh1Mh3fLEAK4htlRWuHXpVJE3kKSzlZejc49pWu6yl5-hJTQuDfZhW-WYv7pAeRR0w9bfY1nZrGiV16RQT95nbc6filxfvNfkw-y3XX7ebjJ5-kTADtPCaov3jsDWgAIbMlZnQ6dKwhsHOfapTpNFdnv4B8sboXQ=)

### Human administrator present

When a human administrator is operating the agent harness, Ping CLI can authenticate using an **authorization code grant** or **device authorization grant**. The access token is issued on behalf of the administrator, so all API calls are audited against their identity in the Ping Identity platform audit logs.

The agent harness itself is not recorded in the audit log. The audit trail shows **what was done** and **by whom (the administrator)**, but not **that an agent was involved**.

This applies to interactive development and prototyping contexts where the administrator takes responsibility for the agent's actions and the risk of harm is negligible.

### Fully automated harness (no human actor)

When the CLI runs in a fully automated harness with no human actor present, for example, in a sandboxed agent or an automated test pipeline, authentication uses a **client credentials grant**. The access token is attributed to the OAuth client, not a person.

|   |                                                                                                                                                                                                                                                                                                                                                                           |
| - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|   | Where possible, define a dedicated OAuth client for each agent, agent harness, or sandbox environment. Using a shared client makes it impossible to distinguish which agent or harness produced a given audit record. A per-agent client means audit logs can be reliably attributed to a specific agent or purpose, which is valuable for both debugging and governance. |

A client should be scoped to the minimum permissions needed for the agent's task. Prefer short token lifetimes and rotate client secrets regularly.

## Full documentation

The complete Ping CLI reference; installation, service connections, configuration profiles, and the full command reference is at the [Ping CLI documentation site](https://developer.pingidentity.com/pingcli).
